Posts filed under ‘Canada’

It’s interesting to see how booze seems to bring up great questions of identity and privacy. Or maybe it’s just the Canadians?

Canadian Dick Hardt uses buying booze as an example in his famous Identity 2.0 presentation and makes very interesting points about using ID, such as a driver’s licence, to buy booze.

Now comes another angle from Canada involving booze: if your ID is scanned when entering a bar, would that make you behave? That was one of the issues at the heart of a case decided by the Information and Privacy Commissioner of Alberta.

The Tantra Nightclub in Calgary had a practice of scanning driver’s licences before allowing people in. Clearly it is collecting and storing personal information, as the scan includes an individual’s photograph, licence number, birth date, address, and bar codes with embedded information unique to the individual driver’s licence.

The club says that “We’ve got hard data that it works, we have inthat says crime and violence is down in our venues by over 77%.” On the other hand, the Information and Privacy Commissioner described the idea of ID scanning as a deterrent to violent behaviour as “conjecture” not backed up by hard data and ordered the club to stop the practice.

In terms of consent, the only thing that the complainant agreed to was the club confirming his date of birth off the licence.

This is precisely the kind of situation that the Laws of Identity frown upon in digital identity systems, in particular User Control and Consent; Minimal Disclosure for a Constrained Use; and Directed Identity. It is also another example of unjustified expectations of ID cards: that knowing a person’s identity somehow magically solves most societal problems.

I spend a lot of my working day thinking about identity-related online services. Protection of privacy in these services is axiomatic. Not only does it make good sense to me, it’s also mandated as one of the policy principles by Cabinet.

The 2007 Privacy & Human Rights Report issued by Privacy International provides a reality check. Across the 47 countries surveyed, the Report says that, “The 2007 rankings indicate an overall worsening of privacy protection across the world, reflecting an increase in surveillance and a declining performance of privacy safeguards.”

New Zealand gets a red colour indicating “Systemic failure to uphold safeguards” as does Australia. Canada gets a yellow for “Some safeguards but weakened protections” while USA and UK get a black for being “Endemic surveillance societies.” Top of the heap is Greece but even it gets only a 3.1 rating out of 5.

The Report lists nine key aspects for New Zealand’s ranking. This seems to have prompted a leading blogger in The New Zealand Herald to call it ‘Systematic failure’ to protect our privacy. The blogger goes on to say, “From biometric passports to greater sharing of information among Government departments to greater use of surveillance technology, we would certainly seem to be following the lead of countries in the black category. But privacy is a touchy issue for Kiwis and rightly so. Just listen to talkback radio whenever talk of a national ID card emerges in the media.”

According to the Report, of particular concern for NZ is:

– “Court of appeal has had some problematic decisions regarding privacy complaints” and

– “DNA database based on order from high court judge, violent crimes, and convicted burglars; though voluntary samples can be included and increasingly this is being pushed by the police, resulting in more than 80% of samples on database being given ‘voluntarily’.”

I think what’s missing from the Report is people’s perception of the state of privacy in the country being reviewed. Perceptions can be as important as (if not more important than) the reality.

On that front, in my opinion NZ is doing fine but, as the Report shows, things could be better.

Given the privacy slant of the video, perhaps the source of the video is not so surprising: the Privacy Commissioner of Canada’s blog. Showing a great understanding of the target market, the video has also been put on YouTube. A good example of effective Web 2.0 use by government.

Unfortunately, the people who really need to understand and act on this message are unlikely to do so. It’s not that these people don’t know the dangers; they just don’t act on them. And that remains a core problem of addressing the downsides of social networking and protecting people from the dangers they continue to expose themselves to.

From the outside, it seems that one of the central beliefs in the US government is that if they can collect every person’s biometrics on Earth and put that into a database, then they can substantially solve all their security problems. Federal authorities have pursued this approach almost single-mindedly over the past few years.

Sometimes these efforts have been overt. A good example is the US-VISIT Program where visitors to the US have to endure lengthy delays as everyone’s fingerprints (currently both index fingers but soon all ten) and photograph are taken.

For me personally, after a 12-13 hour flight, the thought of another two hours standing in a line to get my fingers squashed by a “friendly” official so that the fingerprint reader gets an acceptable reading within a couple of attempts means that I try to avoid travelling to or via the US altogether.

In classic government doublespeak, the benefits of US-VISIT are touted as “Protects the privacy of our visitors” and “demonstrate that we remain a welcoming nation.” Yeah, right!

Sometimes the US efforts to collect the biometrics of every single human being have been more subtle. I think the current “Server in the Sky” concept falls into this category. Police from the International Information Consortium (US, UK, Canada, Australia, and NZ) will be able to exchange biometrics and personal information about criminals and suspects. New Zealand is “considering joining the consortium.”

These five countries already share intelligence amongst themselves and co-operate in running Echelon, the global eavesdropping service that can listen in to telephone, radio, and email communication.

What’s subtle about this is that anything submitted for matching also gets added to the US biometrics database. And that’s another step forward in the grand plan to collect the world’s biometrics.

What’s wrong with this? Why shouldn’t we all do our bit in the fight against global terror and criminals? If you haven’t done anything wrong, surely you have nothing to fear from having your biometrics in a US database?

You do… because the central belief that collecting the world’s biometrics will substantially solve all the US’s security problems is wrong. Because the US federal authorities have not proven themselves worthy of such trust. Because the US has a long history of subsequent misuse to achieve more pressing national security concerns. Because “acceptable collateral damage” from data inaccuracies means a lot of grief for some innocent people.

As the last post for the year, there was a temptation to look back and reflect on the past year. All that changed after I heard a recording of Jon Udell interviewing Dick Hardt in IT Conversations. It made me realise how the real opportunities and challenges lie ahead of us, not behind.

New Zealand’s approach, GOAAMS delivered under the “igovt” banner, is perhaps best understood from the 2007 IDDY Award webcast. Both the slides and the webcast recording (needs WebEx Player) are now available.

The drivers that Dick articulated for BC are the same for NZ:

– better service delivery that requires information held across various government departmental and organisational silos to somehow be brought together in a secure and privacy-protective manner; and

– giving citizens better access to the information held about them by government.

However, the implementation paths are different. The BC project is based on Info Cards while the NZ one will probably go down the Liberty Alliance’s specs path while allowing Info Cards as an optional UI.

One thing everyone will agree with is that both implementation paths have their own pros and cons. Over time, hopefully differences will not matter too much but given the current state of interoperability, they do. And that translates into substantial differences in architecture, customer experience, the “mental model”, requirements on information providers, ability to join up service delivery, and the uptake strategy.

While the similarities in outcomes between the BC and NZ approaches are important, it is the differences in implementation that provide a great insight into the opportunities and challenges for both governments. Work on comparing and contrasting the two should throw up areas that both governments need to consider in their respective efforts.

To me, that is a very important piece of work to do next year.

In the meantime, it’s time to get the barbie (BBQ) going and break out the beer. I hope you have a great holiday and, like me, come back refreshed and ready for a cracker year ahead.

Even though I have no connection with Passport Canada, for some reason I’m feeling terribly let down by them.

My disappointment may stem from an agency making an elementary security mistake and, rather than fixing the problem, repeating it and looking foolish.

Or, it might be that it is incidents like these that collectively undermine trust people have in dealing with government agencies online.

Sigh…government agencies dealing with sensitive personal information simply have to do better.

What happened? According to The Globe and Mail, a security flaw in Passport Canada’s website allowed passport applicants to view the personal details (including social insurance number, date of birth, address, driver’s licence number, and gun ownership) of other applicants by simply changing one character in the URL displayed in the address bar. A very, very basic mistake and, worse, evidence of appalling testing.

The site was taken down but when it was put up again, a few keystrokes were still all it took to reveal personal information. All the while, Passport Canada was in public denial mode.

Their website says about Web Security that “Passport Canada is taking the measures necessary to protect the confidentiality of the personal information you provide and to ensure that your electronic transactions with us are secure.”

The problem is, when fine words don’t match reality, public cynicism results. And that hurts.

I was recently discussing with a colleague the differences in people’s attitudes to privacy in New Zealand and Singapore. He thought most of it could be explained by differences in culture.

To illustrate his point, he sent me a link to a very interesting website that is based on work done by Prof Geert Hofstede. Prof Hofstede developed a framework for scoring countries on five dimensions: Power Distance, Individualism, Masculinity, Uncertainty Avoidance, and Long Term Orientation.

While it’s possible to see the rating of countries individually, what’s really useful is to compare pairs of countries. Sure enough, comparing New Zealand with Singapore showed the huge variations between the two countries.

I tried a few more combinations and, based on my own opinion about various cultures, found his assessment to be pretty accurate. For example, New Zealand-Canada showed striking similarities and the privacy approaches of the two are in fact quite aligned.

As expected, New Zealand-Australia showed similar scoring on all five dimensions. Not quite sure why Australia is higher on every dimension though.

This approach is of course bordering on stereotyping but, at a sweeping generalisation level with country = culture, it does provide an easy way to see how attitudes to privacy are rooted in culture.